I'm successfully using nss_ldap and pam_ldap with client<=>server and
server<=>client X.509 certificate verification using the following config:
client side:
-----------
BASE dc=contraption,dc=com
HOST ldap.contraption.com
ldap_version 3
ssl on
ssl start_tls
tls_ciphers TLSv1
tls_checkpeer yes
tls_cacertfile /opt/OPENldap/etc/openldap/certs/cacert.pem
tls_cert /opt/OPENldap/etc/openldap/certs/clientcrt.pem
tls_key /opt/OPENldap/etc/openldap/certs/clientkey.pem
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=contraption,dc=com?one
server side:
-----------
etc...
TLSCertificateFile /usr/local/openldap/etc/openldap/ldap.contraption.com.crt
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/ldap.contraption.com.key
TLSCACertificateFile /usr/local/openldap/etc/openldap/CAcert.pem
TLSVerifyClient 1
However, the 'CN' value of my client certificate is completely ignored,
as I can install the same certificates across several clients (machines in
this case) and they will work. I'm therefore deducing that provided the
client certs have been signed by my trusted CA (my own in this case) the
'CN' value is unimportant?
Is there a way to enforce 'CN' checking against a directory entry which details
DNS hostname, or even better IP address, in OpenLDAP?
Any help greatly appreciated.
Steve
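An added example, not from Steve's post, that makes the distinction in the question concrete: a POSIX shell script (assuming the openssl CLI is installed) that checks a client certificate against the CA, which is what the TLS layer establishes, and separately compares the certificate's CN against a hostname; the throwaway CA, client certificate and CNs it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes the openssl CLI;
# the CA, certificate and CNs below are constructed for the demo.
set -e

# verify_chain CA_FILE CERT_FILE: succeeds if CERT_FILE was signed by CA_FILE.
# This is what tls_checkpeer / TLSVerifyClient establish: trust in the
# issuer, not the identity named in the certificate's subject.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT_FILE: print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cn_matches_host CERT_FILE HOSTNAME: succeeds only if the CN equals HOSTNAME,
# the extra check the post asks about, performed outside slapd.
cn_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# make_demo_certs DIR: constructed test material, a throwaway CA plus one
# client certificate it signed, so the checks above run offline.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/CN=Contraption Demo CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/client.key" -out "$1/client.csr" \
        -subj "/CN=client1.contraption.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/client.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/client.pem" >/dev/null 2>&1
}

# Stand-alone demo: the same certificate passes chain verification wherever
# it is installed, but the CN check only passes on the host it names.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
verify_chain "$demo_dir/ca.pem" "$demo_dir/client.pem" && echo "chain: ok"
cn_matches_host "$demo_dir/client.pem" client1.contraption.com && echo "CN ok on client1"
cn_matches_host "$demo_dir/client.pem" client2.contraption.com || echo "CN rejected on client2"
rm -rf "$demo_dir"
```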